OFFICE OF INSPECTOR GENERAL
CORPORATION FOR NATIONAL AND COMMUNITY SERVICE

OIG Letter Report Regarding
Limited Network Security Assessment Testing

OIG Report Number 02-23
April 10, 2002

GSA Contract No. GS-23F-8127H
Purchase Order No. CNSIG-02-G-0002

FOR OFFICIAL USE ONLY

This letter report contains information about Corporation computer security practices and vulnerabilities. All recipients of this report should take care to prevent the unauthorized disclosure of the report or its contents. Requests for release of this report or its contents must be referred to the Inspector General.

Office of Inspector General
Corporation for National and Community Service

Audit Report 02-23

OIG Letter Report Regarding
Limited Network Security Assessment Testing

Introduction

OIG engaged KPMG LLP to conduct limited follow-up penetration testing on selected servers of the local area network at the Corporation's headquarters, in an effort to replicate the results of testing conducted in August 2001 in connection with OIG's evaluation of the Corporation's information security practices and its compliance with the Government Information Security Reform Act (GISRA).

During the August testing, KPMG's evaluators identified some indications that malicious software, specifically Net Spy and Trojan Cow, might be present on four of the Corporation's servers. The Corporation's information technology personnel reviewed these results, concluded that they were "false-positive", and determined that no further action was necessary at that time.

In connection with the annual audit of the Corporation's Financial Statements for fiscal year 2001, and in consultation with the Corporation's staff, OIG decided to retest the affected servers in April 2002 to determine whether any indications of malicious software were still present. The evaluators concluded that neither Net Spy nor Trojan Cow software was present on the servers. KPMG and Corporation information technology personnel agreed that the August indicators were indeed "false-positive" results.

Under GISRA's requirements and implementing guidance from the Office of Management and Budget (OMB), the Corporation and OIG will conduct additional evaluations of the Corporation's information security program during the fourth quarter of fiscal year 2002.

Because this report concerns Corporation computer security practices and vulnerabilities, its distribution is limited to OIG and Corporation management and CIO personnel who have a need to know the information in order to perform their official duties. It is also available upon request to OMB and the United States Congress. Due to the security matters discussed, however, this report is exempt from release to the general public.

Inspector General
1201 New York Avenue, NW
Washington, DC 20525

CONFIDENTIAL
Release of this report or its contents must be authorized by the Inspector General

KPMG LLP
2001 M Street, N.W.
Washington, DC 20036

April 10, 2002

Inspector General
Corporation for National and Community Service
Washington, DC 20525

At your request, KPMG LLP (KPMG) on April 10, 2002 performed limited penetration testing on four (4) specific servers located on the local area network at the Corporation for National and Community Service headquarters.

Background

This testing was done as a follow-up to penetration testing KPMG had previously performed in August 2001 as part of the evaluation of the Corporation's compliance with the Government Information Security Reform Act (GISRA). During the August testing, the preliminary results indicated the possible presence of malicious software on four (4) of the Corporation's servers. The type of vulnerability identified by the testing could permit an unauthorized person with malicious intent to cause significant harm to the Corporation's systems. Subsequent investigation by the Corporation's information technology (IT) staff concluded that the results were a "false-positive" and that no further action was necessary. Normally, KPMG would have re-performed the testing or taken other steps to independently verify the conclusions of the Corporation's staff. However, in this case, for a variety of reasons, that could not be done at the time. Subsequently, KPMG recommended that the severity of the preliminary findings was such that it would be prudent to re-test the servers in question and to verify the Corporation's conclusions.

Results in Brief

On April 10th, KPMG, with the assistance of the Corporation's staff, re-scanned the servers in question and performed other procedures in an attempt to replicate the August results. During part one of the testing, KPMG did not find any signs of the malicious Net Spy Trojan software on any of the four servers.
During part two of the testing, KPMG was able to replicate the symptoms that originally indicated the possibility of the malicious Trojan Cow software. However, subsequent procedures done in cooperation with the Corporation's IT staff were mutually agreed to disprove the presence of Trojan software, and it was mutually concluded that the original indications were, in fact, a "false-positive". At that point all objectives for the testing had been met.

KPMG LLP, a U.S. limited liability partnership, is a member of KPMG International, a Swiss association.

The Appendix to this report provides the technical details of the testing steps that were performed. Much of the relevant information about testing results is presented in the form of screen captures that were taken during the process.

We conducted our procedures in accordance with auditing standards generally accepted in the United States of America and the standards applicable to performance audits contained in Government Auditing Standards, issued by the Comptroller General of the United States.

Distribution

As required by the Government Corporation Control Act, this report is intended solely for the information and use of the Corporation for National and Community Service and its Inspector General, and is not intended to be and should not be used by anyone other than

CORPORATION FOR NATIONAL AND COMMUNITY SERVICE
LIMITED NETWORK SECURITY ASSESSMENT

Purpose: To describe the methodology used and the test results from the limited penetration testing performed on four servers at the Corporation for National and Community Service on April 10, 2002.

Summary

Screen-capture shots in the following sections show the step-by-step methodology KPMG used during the network security assessment. They also show the results of each test step. Because this was a "focused" assessment (a follow-up examination), KPMG only scanned four servers, using the SuperScan and FScan port scanners. KPMG was verifying whether or not the Net Spy or Trojan Cow trojans were listening on their default ports, 1033/tcp and 2001/tcp respectively, on any of the following servers:

  10.0.0.9   (sqltest.cns.gov)
  10.0.0.32
  10.0.0.37  (Microsoft Exchange server)
  10.0.0.69  (Cisco Secure Access Control Server)

KPMG verified that Net Spy was not present on the four servers; more detail on this is provided in the subsequent sections of this appendix. KPMG did find port 2001 open on the ACS server. However, it was concluded that the Access Control Server, which runs Cisco Secure Access Control Server software, is using that port. An open port that matches a trojan's default port is only a weak indicator, because any service can be bound to that port; the steps below show how the indication was resolved.

Test Steps:

Step 1.
KPMG performed a port scan using the SuperScan tool and found 10.0.0.9 to be running a mail server, a web server, NETBIOS connections, SSL, and MS SQL Server, as shown in Figure 1. [Note: The KPMG tester's IP address was 10.0.6.131.]

Figure 1. SuperScan results for 10.0.0.9 (transcribed from the screen capture):

  25    Simple Mail Transfer
          220-sqltest.cns.gov Microsoft SMTP MAIL ready at Wed, 10 Apr 2002 09:50:4 (banner truncated in the capture)
  80    World Wide Web HTTP
          HTTP/1.1 403 Access Forbidden  Server: Microsoft-IIS/4.0  Date: Wed, 10 A (truncated in the capture)
  135   DCE endpoint resolution
  139   NETBIOS session service
  443   https MCom
  465   ssmtp
          220-sqltest.cns.gov Microsoft SMTP MAIL ready at Wed, 10 Apr 2002 09:50 (truncated in the capture)
  1030  BBN IAD
  (port number not legible)  BBN IAD
  1433  Microsoft-SQL-Server (port number not legible here; confirmed by the FScan results in Figure 5)

Appendix Page A-1
CONFIDENTIAL
Release of this report or its contents must be authorized by the CNS Inspector General

Step 2.
KPMG performed a port scan using the SuperScan tool and found 10.0.0.32 to be running a web server, NETBIOS connections, and MS SQL Server, as shown in Figure 2.

Figure 2. SuperScan results for 10.0.0.32. The port numbers were not legible in the capture; the services listed were World Wide Web HTTP, DCE endpoint resolution, NETBIOS session service, BBN IAD and Microsoft-SQL-Server. The FScan results in Figure 6 place these on 80/tcp, 135/tcp, 139/tcp and 1433/tcp (BBN IAD port not legible).

Step 3.
KPMG performed a port scan using the SuperScan tool and found 10.0.0.37 to be using various ports, none of which contained any Trojans. All ports that are open appear to be normal or open as a result of using third-party software, as shown in Figure 3. The names SuperScan prints next to ports 1676, 1683, 1695 and 1716 come from its static port-to-name list; the ncacn_http/1.0 banners show that those ports are actually Microsoft RPC over HTTP (ncacn_http) endpoints on dynamically assigned ports, consistent with the Exchange services on this host. The same point, that a port number alone does not identify the service behind it, is what resolves the port 2001 finding in Steps 9 to 12.

Figure 3. SuperScan results for 10.0.0.37 (transcribed from the screen capture):

  27    NSW user system FE
  110   Post Office Protocol - Version 3
          +OK Microsoft Exchange POP3 server version 5.5.2653.23 ready
  119   Network News Transfer Protocol
          200 Microsoft Exchange Internet News service version 5.5.2653.23 (posting (truncated in the capture)
  135   DCE endpoint resolution
  139   NETBIOS Session Service
  143   Internet Message Access Protocol
          * OK Microsoft Exchange IMAP4rev1 server version 5.5.2653.23 (exchange.cns (truncated in the capture)
  199   SMUX
  389   Lightweight Directory Access Protocol
  563   snews
  636   ssl-ldap
  995   SSL based POP3
  1673  Intel proshare multicast
  1676  netcomm1
          ncacn_http/1.0
  1683  ncpm-hi
          ncacn_http/1.0
  1695  rrilm
          ncacn_http/1.0
  1713  ConferenceTalk
  1716  xmsg
          ncacn_http/1.0
  1987  cisco RSRB Priority 1 port
  2301  Compaq Insight Manager

Step 4.
KPMG performed a port scan using the SuperScan tool and found 10.0.0.69 was running NETBIOS connections. In addition, it appears that ports 2000, 2001, and 2002 are listening, as shown in Figure 4.

Figure 4. SuperScan results for 10.0.0.69 (screen capture not reproduced).

Step 5.
Because scanning tools sometimes give differing results, the above scans were repeated with a second tool. KPMG performed a port scan on 10.0.0.9 using FScan and obtained results similar to the SuperScan results, as shown in Figure 5. Each FScan run covered a targeted list of 32 TCP and UDP ports rather than a full sweep. The different HTTP status codes (403 from SuperScan, 400 from FScan) reflect the different probe each tool sends to port 80, not a change on the server.

Figure 5. FScan results for 10.0.0.9 (transcribed from the screen capture):

  Scan started at Wed Apr 10 09:42:49 2002

  10.0.0.9       25/tcp
     220-sqltest.cns.gov Microsoft SMTP MAIL ready at Wed, 10 Apr 2002 09:51:25 -0400 Version: 5.5.1774.114.11[0D][0A]220 ESMTP spoken here[0D][0A]
  10.0.0.9       80/tcp
     HTTP/1.1 400 Bad Request[0D][0A]Server: Microsoft-IIS/4.0[0D][0A]Date: Wed, 10 Apr 2002 13:51:25 GMT[0D][0A]Content-Type: text/html[0D][0A]Content-Length: 87[0D][0A][0D][0A]
  10.0.0.9      139/tcp
     [83][00][00][01][8F]
  10.0.0.9      135/tcp
  10.0.0.9      443/tcp
  10.0.0.9     1433/tcp
  10.0.0.9      135/udp
  10.0.0.9      137/udp
  10.0.0.9      138/udp

  Scan finished at Wed Apr 10 09:42:54 2002
  Time taken: 32 ports in 5.248 secs (6.10 ports/sec)

Step 6.
KPMG performed a port scan using FScan on 10.0.0.32 and obtained results similar to the SuperScan results, as shown in Figure 6.

Figure 6. FScan results for 10.0.0.32 (transcribed from the screen capture):

  Scan started at Wed Apr 10 09:38:52 2002

  10.0.0.32     139/tcp
     [83][00][00][01][8F]
  10.0.0.32      80/tcp
  10.0.0.32     135/tcp
  10.0.0.32    1433/tcp
  10.0.0.32      53/udp
  10.0.0.32     135/udp
  10.0.0.32     137/udp
  10.0.0.32     138/udp

  Scan finished at Wed Apr 10 09:38:58 2002
  Time taken: 32 ports in 6.600 secs (4.85 ports/sec)

Step 7.
KPMG performed a port scan using FScan on 10.0.0.37 and obtained results similar to the SuperScan results, as shown in Figure 7.

Figure 7. FScan results for 10.0.0.37 (transcribed from the screen capture):

  Scan started at Wed Apr 10 09:39:16 2002

  10.0.0.37     139/tcp
     [83][00][00][01][8F]
  10.0.0.37     110/tcp
     +OK Microsoft Exchange POP3 server version 5.5.2653.23 ready[0D][0A]
  10.0.0.37     119/tcp
     200 Microsoft Exchange Internet News Service Version 5.5.2653.23 (posting allowed)[0D][0A]
  10.0.0.37     135/tcp
  10.0.0.37     389/tcp
  10.0.0.37     135/udp
  10.0.0.37     137/udp
  10.0.0.37     138/udp
  10.0.0.37     161/udp
  10.0.0.37     162/udp

  Scan finished at Wed Apr 10 09:39:24 2002
  Time taken: 32 ports in 8.061 secs (3.97 ports/sec)

Step 8.
KPMG performed a port scan using FScan on 10.0.0.69 and obtained results similar to the SuperScan results, as shown in Figure 8.

Figure 8. FScan results for 10.0.0.69 (the port list was not legible in the capture):

  Scan started at Wed Apr 10 09:39:41 2002
  Scan finished at Wed Apr 10 09:39:49 2002
  Time taken: 32 ports in 8.031 secs (3.98 ports/sec)

Step 9.
KPMG found port 2001 open, as had been the case during the August testing. Following the testing procedure used in the prior testing, the Trojan Cow client was run, and again appeared to make a connection, as shown in Figure 9.

Figure 9. Trojan Cow client connection attempt to 10.0.0.69 (screen capture not reproduced).

Step 10.
As a method of testing whether the Trojan Cow client actually had connected to the server, an attempt was made to use two of the trojan's functions. However, KPMG was unable to open the CD tray using the Trojan Cow client, as shown in Figure 10.

Figure 10. Trojan Cow client "open CD tray" attempt (screen capture not reproduced).

Step 11.
KPMG was also unable to start a process running on the server.
An attempt was made to start notepad.exe on 10.0.0.69, but it did not succeed, as shown in Figure 11.

Figure 11. Trojan Cow client "start process" attempt (screen capture not reproduced).

After checking in the above manner, it was concluded that the Trojan Cow client was not really making a connection to the server, and that the indications of a connection were a "false-positive". A TCP connection to port 2001 completes against any service listening there, so the client's "connected" indication by itself could not distinguish the trojan from a legitimate listener; the failure of both trojan commands is what showed that no Trojan Cow server was answering. The Corporation's IT staff provided the information that the Cisco Secure Access Control Server software was currently running on 10.0.0.69, and the most logical conclusion was that it was the ACS software that was using port 2001.

Step 12.
Subsequent to the testing done at CNCS, KPMG independently verified through vendor documentation that the ACS software does use ports 2000, 2001, and 2002 as default settings. Information regarding Cisco Secure ACS and the ports associated with the software can be found at:
http://www.cisco.com/pcgi-bin/Support/PSP/psp_view.pl?p=Software:Cisco_Secure_ACS_NT
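The following is an added example, written for this page and not part of the KPMG/OIG report, that puts the appendix's reasoning into code: parse FScan-style scan output, flag any open port that matches a trojan's default port (1033/tcp Net Spy, 2001/tcp Trojan Cow), mark the hit "explained" only when a per-host service inventory accounts for it, and, for anything still unexplained, run an active probe that records both whether the handshake completed and what banner came back. Assumptions: the FScan line layout is the one shown in Figures 5 to 7; the KNOWN_SERVICES table, the loopback fake listener, and the 10.0.0.69 lines of the sample (that capture did not survive) are constructed for the example, with the ACS port list taken from Step 12.

```python
import re
import socket
import threading
from dataclasses import dataclass

# Trojan default ports the report looked for: Net Spy 1033/tcp, Trojan Cow 2001/tcp.
TROJAN_DEFAULT_PORTS = {("tcp", 1033): "Net Spy", ("tcp", 2001): "Trojan Cow"}
# Per-host inventory of services known to bind those ports. The ACS entry is the
# report's Step 12 finding; anything else added here is an assumption to verify.
KNOWN_SERVICES = {"10.0.0.69": {("tcp", p): "Cisco Secure ACS" for p in (2000, 2001, 2002)}}


@dataclass
class OpenPort:
    host: str
    proto: str
    port: int
    banner: str = ""


_PORT_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)/(tcp|udp)\s*$")


def parse_fscan(text):
    """FScan-style output: one '<ip> <port>/<proto>' line per open port, optionally
    followed by more-indented banner line(s). 'Scan started/finished' lines are skipped."""
    records, port_indent = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        m = _PORT_LINE.match(line)
        if m:
            records.append(OpenPort(m.group(1), m.group(3), int(m.group(2))))
            port_indent = indent
        elif records and indent > port_indent:  # banner continuation line
            records[-1].banner = (records[-1].banner + " " + line.strip()).strip()
    return records


def classify(records, trojan_ports=TROJAN_DEFAULT_PORTS, inventory=KNOWN_SERVICES):
    """One finding per open port matching a trojan default port: 'explained' if the
    host inventory accounts for it, else 'investigate'. A port match alone is never
    'confirmed'; that needs probe_tcp() plus a working trojan command (Steps 10-11)."""
    findings = []
    for r in records:
        name = trojan_ports.get((r.proto, r.port))
        if name is None:
            continue
        service = inventory.get(r.host, {}).get((r.proto, r.port))
        findings.append({"host": r.host, "port": f"{r.port}/{r.proto}", "trojan": name,
                         "service": service, "verdict": "explained" if service else "investigate"})
    return findings


def probe_tcp(host, port, timeout=3.0):
    """Active check: complete the handshake, then collect a banner, nudging with CRLF
    if the listener is silent. 'connected' is all the Trojan Cow client showed in
    Step 9; the banner is what identifies the real listener."""
    result = {"connected": False, "banner": b""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["connected"] = True
            s.settimeout(timeout)
            data = b""
            for payload in (None, b"\r\n"):
                if payload is not None:
                    s.sendall(payload)
                try:
                    data += s.recv(1024)
                except OSError:  # timeout or reset: nothing from this probe
                    pass
                if data:
                    break
            result["banner"] = data
    except OSError:  # refused, unreachable or timed out
        pass
    return result


def start_fake_listener(banner):
    """Loopback listener that greets one client with `banner`, so probe_tcp() can be
    demonstrated offline. Returns the ephemeral port it bound."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


# Constructed sample: the 10.0.0.9 and 10.0.0.37 lines are transcribed from Figures 5
# and 7; the 10.0.0.69 lines are constructed from Steps 4 and 12 (that capture is lost).
SAMPLE_FSCAN = """\
Scan started at Wed Apr 10 09:42:49 2002
  10.0.0.9                25/tcp
     220-sqltest.cns.gov Microsoft SMTP MAIL ready at Wed, 10 Apr 2002 09:51:25
  10.0.0.9               139/tcp
     [83][00][00][01][8F]
  10.0.0.37              110/tcp
     +OK Microsoft Exchange POP3 server version 5.5.2653.23 ready[0D][0A]
  10.0.0.69             2000/tcp
  10.0.0.69             2001/tcp
  10.0.0.69             2002/tcp
Scan finished at Wed Apr 10 09:39:49 2002
Time taken: 32 ports in 8.031 secs (3.98 ports/sec)
"""

if __name__ == "__main__":
    for finding in classify(parse_fscan(SAMPLE_FSCAN)):
        print(finding)
    print(probe_tcp("127.0.0.1", start_fake_listener(b"+OK fake POP3 ready\r\n")))
```

Run as a script, the classification yields a single finding for 10.0.0.69 port 2001/tcp with verdict "explained", because the inventory attributes the port to Cisco Secure ACS; the same port on a host with no inventory entry, or port 1033/tcp anywhere, comes back "investigate" and is what probe_tcp() is for. The strongest confirmation of any such finding is on the host itself, identifying the process bound to the port; this example, like the report, works from the network side plus vendor documentation.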